(22) Kwalunkwe pproċessar ta’ data personali fil-kuntest tal-attivitajiet ta’ stabbiliment ta’ kontrollur jew proċessur fl-Unjoni għandu jsir f’konformità ma’ dan ir-Regolament, irrispettivament minn jekk l-ipproċessar innifsu jseħħx fl-Unjoni jew le.
L-istabbiliment jimplika l-eżerċizzju effettiv u reali ta’ attività permezz ta’ arranġamenti stabbli.
Il-forma legali ta’ dawn l-arranġamenti, sew jekk permezz ta’ fergħa jew sussidjarja b’personalità ġuridika, mhijiex il-fattur determinanti f’dak ir-rigward.
(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.
Establishment implies the effective and real exercise of activity through stable arrangements.
The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
Regolament Ġenerali dwar il-Protezzjoni tad-Data (RĠPD, GDPR)
General Data Protection Regulation (EU GDPR)
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
Before considering what is meant by “an establishment in the Union” it is first necessary to identify who is the controller or processor for a given processing activity. According to the definition in Article 4(7) of the GDPR, controller means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A processor, according to Article 4(8) of the GDPR, is “a natural or legal person, public authority, 6 Adopted agency or other body which processes personal data on behalf of the controller”. As established by relevant CJEU case law and previous WP29 opinion, the determination of whether an entity is a controller or processor for the purposes of EU data protection law is a key element in the assessment of the application of the GDPR to the personal data processing in question.